Most small business networks are a single flat network - every device, from the MD's laptop to the CCTV system to the guest Wi-Fi, sits on the same subnet and can technically talk to everything else. That's fine until something goes wrong. When ransomware hits a workstation on a flat network, it can reach file servers, printers, IoT devices, and backup systems without crossing a single boundary. Segmentation is what stops that.
Network segmentation doesn't require an enterprise budget. If you have a managed switch and a firewall - Cisco, Ubiquiti, Palo Alto, pfSense, any of them - you can have a solid baseline segmentation architecture in place in an afternoon, provided you plan the VLANs and the rules between them before you start configuring.
Why Segmentation Matters
🔒 Security Case: Network segmentation is one of the most effective controls in frameworks such as the CIS Controls and Cyber Essentials, and one of the most skipped by small IT teams. The security case for it:
- Limits blast radius - if a device is compromised, the attacker can reach only the devices on the same VLAN plus whatever the firewall explicitly allows from that VLAN. They can't pivot directly to servers, management interfaces or other sensitive systems.
- Contains ransomware spread - most ransomware moves laterally over SMB, WMI, or RDP. Denying those protocols between segments, and allowing SMB only from workstations to the file servers that need it, removes most of the paths it relies on; what remains is a short list you can monitor.
- Isolates untrusted devices - BYOD, IoT, CCTV cameras, and guest devices should never be able to reach your corporate systems.
- Improves visibility - traffic between segments is logged at the firewall. Flat networks are silent. Segmented networks tell you when something unusual is happening.
VLAN Design for Small Organisations
🗂️ VLAN Design: For a typical small-to-medium organisation (20–200 users), four to six VLANs covers almost every scenario. Here's a practical baseline:
| VLAN | Name | Subnet Example | What Goes Here |
|---|---|---|---|
| VLAN 10 | Corporate | 10.10.10.0/24 | Company laptops, desktops, Intune-managed devices |
| VLAN 20 | Servers | 10.10.20.0/24 | File servers, print servers, domain controllers, NAS |
| VLAN 30 | Management | 10.10.30.0/24 | Network infrastructure - switches, APs, firewalls, iDRAC/iLO |
| VLAN 40 | IoT / CCTV | 10.10.40.0/24 | IP cameras, smart TVs, printers, building systems |
| VLAN 50 | Guest | 10.10.50.0/24 | Guest Wi-Fi, BYOD, contractors on personal devices |
| VLAN 60 | VoIP | 10.10.60.0/24 | IP phones, SIP endpoints (if applicable) |
Trunking and Access Ports
On your managed switch, ports connected to end devices are configured as access ports assigned to a single VLAN. Ports connected to other switches, routers, or access points that carry multiple VLANs are trunk ports. Your firewall uplink should be a trunk carrying all VLANs - the firewall handles inter-VLAN routing and enforcement, so every packet that crosses a VLAN boundary passes through its rules. Prune each trunk to only the VLANs it actually needs, and don't use the native (untagged) VLAN as a data VLAN.
Firewall Rules Between Segments
🔥 Firewall Rules: VLANs alone don't do anything without firewall rules to control traffic between them. The default posture should be deny all inter-VLAN traffic, then add explicit allow rules for only the traffic that's needed. Rules describe which side may initiate a connection; a stateful firewall lets the replies back automatically, so a workstation-to-file-server allow does not need a matching server-to-workstation rule. Log the default deny so the firewall shows you what is being blocked and by whom.
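The rule set that the VLAN design above implies, written out as code. This is an added example, not code from the original article: it encodes the six VLANs from the design table, the default-deny posture with the handful of explicit allows a small office typically needs (including the guest and IoT VLANs), checks constructed sample flows against that policy, and renders it as an nftables forward chain. The admin jump host address, the port lists and the choice of nftables are assumptions for illustration; the same matrix maps onto pfSense, UniFi or Palo Alto rule sets.

```python
"""Inter-VLAN policy for the baseline VLAN design, expressed as code.

Added example, not from the original article. Hosts, ports and the nftables
rendering are assumptions; adapt them to your own firewall and services.
"""
from ipaddress import ip_address, ip_network

VLANS = {  # name -> subnet, straight from the design table
    "corporate": ip_network("10.10.10.0/24"),
    "servers": ip_network("10.10.20.0/24"),
    "management": ip_network("10.10.30.0/24"),
    "iot": ip_network("10.10.40.0/24"),
    "guest": ip_network("10.10.50.0/24"),
    "voip": ip_network("10.10.60.0/24"),
}

# Explicit allows: (source VLAN or single host, destination zone, proto, dest ports, comment).
# Destination "internet" means any address outside the internal ranges. Nothing may
# initiate a connection *into* corporate, guest or voip from another VLAN; replies to
# allowed connections come back via the conntrack rule in render_nft().
ALLOW_RULES = [
    ("corporate", "servers", "tcp", (445, 88, 389, 636, 443), "file shares, AD, intranet"),
    ("corporate", "servers", "udp", (53, 88, 123), "DNS, Kerberos, NTP"),
    ("corporate", "iot", "tcp", (9100, 631), "printing to printers on the IoT VLAN"),
    ("10.10.10.50", "management", "tcp", (22, 443), "admin jump host only (assumed address)"),
    ("corporate", "internet", "any", (), "web access"),
    ("guest", "internet", "any", (), "guest gets internet and nothing else"),
    ("iot", "internet", "any", (), "cloud-managed cameras, firmware updates"),
    ("voip", "internet", "any", (), "SIP trunk"),
]


def zone_of(ip):
    """Map an address to a VLAN name, 'internet', or 'unknown' (private but unlisted)."""
    for name, net in VLANS.items():
        if ip in net:
            return name
    return "unknown" if ip.is_private else "internet"


def _src_matches(rule_src, ip):
    if rule_src in VLANS:
        return ip in VLANS[rule_src]
    return ip == ip_address(rule_src)  # single-host rule


def evaluate(src, dst, proto, port):
    """Verdict for a *new* connection: ('allow'|'drop'|'same-vlan', reason)."""
    src, dst = ip_address(src), ip_address(dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone and src_zone in VLANS:
        # Same broadcast domain: the firewall never sees this traffic. Host
        # firewalls and EDR are the controls here, not segmentation.
        return "same-vlan", f"{src_zone}->{dst_zone} is switched, not routed through the firewall"
    for rule_src, rule_dst, rule_proto, rule_ports, comment in ALLOW_RULES:
        if not _src_matches(rule_src, src) or rule_dst != dst_zone:
            continue
        if rule_proto != "any" and rule_proto != proto:
            continue
        if rule_ports and port not in rule_ports:
            continue
        return "allow", comment
    return "drop", f"default deny: no rule for {src_zone}->{dst_zone} {proto}/{port}"


def render_nft():
    """Render ALLOW_RULES as an nftables forward chain with a drop policy."""
    internal = ", ".join(str(net) for net in VLANS.values())
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for rule_src, rule_dst, rule_proto, rule_ports, comment in ALLOW_RULES:
        match = [f"ip saddr {VLANS[rule_src] if rule_src in VLANS else rule_src}"]
        if rule_dst in VLANS:
            match.append(f"ip daddr {VLANS[rule_dst]}")
        else:
            match.append(f"ip daddr != {{ {internal} }}")
        if rule_ports:
            match.append(f"{rule_proto} dport {{ {', '.join(map(str, rule_ports))} }}")
        lines.append("    " + " ".join(match) + f' accept comment "{comment}"')
    # Anything else falls through to the drop policy; log it so the firewall
    # tells you when something unusual is happening.
    lines += ['    log prefix "inter-vlan drop: "', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, proto, dst port)
    for flow in [
        ("10.10.10.25", "10.10.10.26", "tcp", 445),   # ransomware to a peer workstation
        ("10.10.10.25", "10.10.20.10", "tcp", 445),   # workstation to file server
        ("10.10.10.25", "10.10.20.10", "tcp", 3389),  # RDP to a server
        ("10.10.50.7", "10.10.20.10", "tcp", 445),    # guest to file server
        ("10.10.10.25", "10.10.30.1", "tcp", 443),    # ordinary user to a switch UI
    ]:
        print(flow, "->", evaluate(*flow))
    print(render_nft())
```

Two things the sample flows make visible that the rule table alone does not: the first flow, a workstation attacking a peer on the same VLAN, never reaches the firewall at all, which is why the Corporate VLAN still needs host firewalls and EDR; and the second flow, SMB from a workstation to the file server, is allowed by design and is therefore the path ransomware will still use, so that one rule is where your monitoring and file-server hardening should concentrate.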
Guest Wi-Fi Isolation
📶 Guest Wi-Fi: Guest Wi-Fi is the most common segmentation gap in small business networks. Often it runs on the same subnet as corporate devices, or it's "isolated" at the AP level but the traffic still arrives on the corporate VLAN.
The correct implementation on modern APs (UniFi, Meraki, Cisco, etc.):
1. Create a dedicated SSID for guests. Keep it separate from your corporate Wi-Fi, using WPA2/WPA3 Personal or an open network with a captive portal, and never reuse the corporate PSK (ideally corporate Wi-Fi uses WPA2/WPA3-Enterprise with 802.1X rather than a PSK at all).
2. Tag the guest SSID to the Guest VLAN (VLAN 50). In your AP configuration, tag the guest SSID with VLAN 50, and make sure the switch port the AP plugs into is a trunk that carries VLAN 50. Traffic then arrives at your firewall tagged as VLAN 50 and is processed by the Guest firewall rules.
3. Enable client isolation on the guest SSID. Client isolation stops guest devices from seeing each other on the same SSID, so one guest cannot scan or attack another guest's device.
4. Apply rate limiting. Optional but recommended: cap guest bandwidth (e.g. 10 Mbps down / 5 Mbps up) so guests cannot saturate your internet connection.
IoT and BYOD Segmentation
📡 IoT: IoT devices are some of the most commonly exploited footholds in small business environments, largely because they sit on flat networks, run outdated firmware, and are forgotten about. IP cameras, smart TVs, building access systems, and printers all fall into this category.
The rule is simple: if you can't patch it, manage it and control what runs on it (in a Microsoft shop, if it isn't Intune-enrolled), it goes on the IoT VLAN. This includes:
- IP CCTV cameras and NVRs
- Smart TVs and presentation screens
- Network printers (they stay here even with Intune Universal Print, which routes print jobs through the cloud and a connector, so corporate devices never need direct access to the printer)
- Building access control systems
- UPS and PDU management interfaces
- Any BYOD device that isn't enrolled in Intune
Moving Towards Zero Trust
🔐 Zero Trust: Traditional network segmentation assumes that devices on the corporate VLAN are trusted. Zero Trust rejects this assumption - trust is based on identity and device health, not network location. In a Microsoft 365 environment, you're already closer to Zero Trust than you might think.
The building blocks are already in place:
- Entra ID Conditional Access - blocks access to M365 resources unless the device is compliant (Intune enrolled, BitLocker enabled, etc.)
- Microsoft Defender for Endpoint - assigns each device a risk score; an Intune compliance policy can require the device to be at or below a chosen risk level, so a high-risk device drops out of compliance and Conditional Access blocks it
- Microsoft Intune compliance policies - define what "compliant" means and feed that into Conditional Access
- Entra ID Identity Protection - detects risky sign-ins and can automatically require MFA or block access
Combined with network segmentation, this gives you a layered defence: even if a device gets onto the corporate VLAN, it still can't access cloud resources unless it passes identity and compliance checks at the application layer.
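What the "require compliant device" building block looks like when it is actually created, as an added example that is not from the original article or from Microsoft. It builds the policy body in the shape the Microsoft Graph conditionalAccessPolicy resource expects (all users, all cloud apps, grant only with a compliant device AND MFA), runs the pre-flight checks that catch the two classic mistakes (no break-glass exclusion, and OR instead of AND, which lets MFA alone satisfy the policy), and POSTs it only if they pass. The access token (Graph scope Policy.ReadWrite.ConditionalAccess) is obtained by the caller; the group id is a placeholder.

```python
"""Conditional Access: require compliant device AND MFA for all cloud apps.

Added example, not from the original article or from Microsoft. The group
id is a placeholder and the caller supplies a Graph access token.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
VALID_STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}


def build_compliant_device_policy(break_glass_group_id, enforce=False):
    """All users, all cloud apps: grant only if the device is Intune-compliant
    AND MFA was satisfied. Defaults to report-only so sign-in logs show what
    would have been blocked before anyone is locked out."""
    return {
        "displayName": "Require compliant device and MFA for all cloud apps",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeUsers": ["All"],
                # Emergency-access accounts must never be caught by this policy.
                "excludeGroups": [break_glass_group_id],
            },
        },
        "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice", "mfa"]},
    }


def policy_problems(policy):
    """Return a list of lockout / weakness findings; empty means safe to create."""
    problems = []
    if policy.get("state") not in VALID_STATES:
        problems.append(f"invalid state {policy.get('state')!r}")
    users = policy["conditions"]["users"]
    if "All" in users.get("includeUsers", []) and not (
        users.get("excludeGroups") or users.get("excludeUsers")
    ):
        problems.append("targets All users with no break-glass exclusion")
    grant = policy["grantControls"]
    if len(grant["builtInControls"]) > 1 and grant["operator"] != "AND":
        # With OR, satisfying MFA alone grants access and the device check is moot.
        problems.append("operator OR lets a single control satisfy the policy")
    return problems


def create_policy(policy, access_token):
    """POST the policy to Graph; refuses to send a policy with findings."""
    problems = policy_problems(policy)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_compliant_device_policy("00000000-0000-0000-0000-000000000000")  # placeholder id
    print(json.dumps(policy, indent=2))
    print("findings:", policy_problems(policy) or "none")
    # create_policy(policy, access_token="<token>")  # run with a real token once report-only looks right
```

Leave the policy in report-only until the sign-in logs show every device you expect is being reported as compliant; switching `enforce=True` before then is how admins lock themselves out, and the break-glass group exclusion is the only thing that gets you back in if you do.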